From 509afe252d20dab3a30bcbfba605f3664161257f Mon Sep 17 00:00:00 2001
From: Mariusz Zaborski
Date: Tue, 17 Apr 2018 15:03:27 +0200
Subject: [PATCH] Remove MessageIntegrityCheck from context.

---
 winpr/libwinpr/sspi/NTLM/ntlm.h | 3 +--
 winpr/libwinpr/sspi/NTLM/ntlm_compute.c | 8 ++++++--
 winpr/libwinpr/sspi/NTLM/ntlm_compute.h | 2 +-
 winpr/libwinpr/sspi/NTLM/ntlm_message.c | 13 +++++++------
 4 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/winpr/libwinpr/sspi/NTLM/ntlm.h b/winpr/libwinpr/sspi/NTLM/ntlm.h
index f12d9d5..d4c2404 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm.h
+++ b/winpr/libwinpr/sspi/NTLM/ntlm.h
@@ -250,6 +250,7 @@ struct _NTLM_CONTEXT
 NTLM_NEGOTIATE_MESSAGE NEGOTIATE_MESSAGE;
 NTLM_CHALLENGE_MESSAGE CHALLENGE_MESSAGE;
 NTLM_AUTHENTICATE_MESSAGE AUTHENTICATE_MESSAGE;
+ UINT32 MessageIntegrityCheckOffset;
 SecBuffer NegotiateMessage;
 SecBuffer ChallengeMessage;
 SecBuffer AuthenticateMessage;
@@ -272,8 +273,6 @@ struct _NTLM_CONTEXT
 BYTE ClientSealingKey[16];
 BYTE ServerSigningKey[16];
 BYTE ServerSealingKey[16];
- BYTE MessageIntegrityCheck[16];
- UINT32 MessageIntegrityCheckOffset;
 psPeerComputeNtlmHash HashCallback;
 void* HashCallbackArg;
 };
diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
index 4e046b3..018b0ad 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
@@ -21,6 +21,8 @@
 #include "config.h"
 #endif
 
+#include 
+
 #include "ntlm.h"
 #include "../sspi.h"
 
@@ -721,7 +723,7 @@ void ntlm_init_rc4_seal_states(NTLM_CONTEXT* context)
 }
 }
 
-void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context)
+void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context, BYTE *mic, UINT32 size)
 {
 /*
 * Compute the HMAC-MD5 hash of ConcatenationOf(NEGOTIATE_MESSAGE,
@@ -729,6 +731,8 @@ void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context)
 */
 WINPR_HMAC_CTX* hmac = winpr_HMAC_New();
 
+ assert(size >= WINPR_MD5_DIGEST_LENGTH);
+
 if (!hmac)
 return;
 
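Review bot: The new `size` parameter of `ntlm_compute_message_integrity_check` is enforced only by `assert(size >= WINPR_MD5_DIGEST_LENGTH)` in the -729 hunk, and `assert` compiles to nothing under `NDEBUG`, so a release build still writes `WINPR_MD5_DIGEST_LENGTH` bytes into `mic` whatever `size` says. The function also stays `void` and returns early when `winpr_HMAC_New()` fails, so no caller can tell that `mic` was never written. I would turn the assert into a runtime guard and report the outcome: `if (!mic || size < WINPR_MD5_DIGEST_LENGTH) return FALSE;` with the signature in the -721 hunk (and the ntlm_compute.h declaration) changed to return `BOOL`, and `return TRUE;` only after a successful `winpr_HMAC_Final`. The `#include` added in the -21 hunk shows no header name in this rendering; `assert()` needs `<assert.h>`, so presumably that is what was added. The function body continues past the end of the -729 hunk.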
@@ -740,7 +744,7 @@ void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context)
 context->ChallengeMessage.cbBuffer);
 winpr_HMAC_Update(hmac, (BYTE*) context->AuthenticateMessage.pvBuffer,
 context->AuthenticateMessage.cbBuffer);
- winpr_HMAC_Final(hmac, context->MessageIntegrityCheck, WINPR_MD5_DIGEST_LENGTH);
+ winpr_HMAC_Final(hmac, mic, WINPR_MD5_DIGEST_LENGTH);
 }
 
 winpr_HMAC_Free(hmac);
diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_compute.h b/winpr/libwinpr/sspi/NTLM/ntlm_compute.h
index ba99c81..df06e37 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm_compute.h
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_compute.h
@@ -57,6 +57,6 @@ void ntlm_generate_client_sealing_key(NTLM_CONTEXT* context);
 void ntlm_generate_server_sealing_key(NTLM_CONTEXT* context);
 void ntlm_init_rc4_seal_states(NTLM_CONTEXT* context);
 
-void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context);
+void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context, BYTE *mic, UINT32 size);
 
 #endif /* WINPR_AUTH_NTLM_COMPUTE_H */
diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_message.c b/winpr/libwinpr/sspi/NTLM/ntlm_message.c
index b5d7fe3..23f77de 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_message.c
@@ -917,9 +917,9 @@ SECURITY_STATUS ntlm_write_AuthenticateMessage(NTLM_CONTEXT* context, PSecBuffer
 if (context->UseMIC)
 {
 /* Message Integrity Check */
- ntlm_compute_message_integrity_check(context);
+ ntlm_compute_message_integrity_check(context, message->MessageIntegrityCheck, 16);
 Stream_SetPosition(s, context->MessageIntegrityCheckOffset);
- Stream_Write(s, context->MessageIntegrityCheck, 16);
+ Stream_Write(s, message->MessageIntegrityCheck, 16);
 Stream_SetPosition(s, length);
 }
 
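Review bot: The new declaration in ntlm_compute.h writes the output parameter as `BYTE *mic` while every other prototype in the hunk binds the asterisk to the type (`NTLM_CONTEXT* context`), and the new contract is undocumented: nothing says how many bytes land in `mic` or what `size` must be. I would write it as `void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context, BYTE* mic, UINT32 size);` and precede it with a comment stating that exactly `WINPR_MD5_DIGEST_LENGTH` bytes of HMAC-MD5 are written to `mic`, that `size` must be at least that, and what happens when the HMAC context cannot be created (currently: `mic` is left untouched and the caller is not told). The same asterisk placement applies to the definition in ntlm_compute.c.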
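Review bot: The bound passed in the new `ntlm_compute_message_integrity_check` call in the -917 hunk is the literal `16`, detached from the buffer it describes, so a later change to the field would silently leave the check stale. If `MessageIntegrityCheck` is a fixed array of the message struct, as the constant suggests, prefer `ntlm_compute_message_integrity_check(context, message->MessageIntegrityCheck, sizeof(message->MessageIntegrityCheck));` and the same `sizeof` in the `Stream_Write` line two lines below. The call's failure is also not observable here: if the HMAC setup fails, whatever `message->MessageIntegrityCheck` already held is written into the stream as the MIC; should the compute function gain a status return, check it before `Stream_Write`. `ntlm_write_AuthenticateMessage` begins and ends outside this hunk.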
@@ -947,7 +947,7 @@ SECURITY_STATUS ntlm_write_AuthenticateMessage(NTLM_CONTEXT* context, PSecBuffer
 if (context->UseMIC)
 {
 WLog_DBG(TAG, "MessageIntegrityCheck (length = 16)");
- winpr_HexDump(TAG, WLOG_DEBUG, context->MessageIntegrityCheck, 16);
+ winpr_HexDump(TAG, WLOG_DEBUG, message->MessageIntegrityCheck, 16);
 }
 
 #endif
@@ -961,6 +961,7 @@ SECURITY_STATUS ntlm_server_AuthenticateComplete(NTLM_CONTEXT* context)
 UINT32 flags = 0;
 NTLM_AV_PAIR* AvFlags = NULL;
 NTLM_AUTHENTICATE_MESSAGE* message;
+ BYTE messageIntegrityCheck[16];
 
 if (context->state != NTLM_STATE_COMPLETION)
 return SEC_E_OUT_OF_SEQUENCE;
@@ -988,15 +989,15 @@ SECURITY_STATUS ntlm_server_AuthenticateComplete(NTLM_CONTEXT* context)
 {
 ZeroMemory(&((PBYTE) context->AuthenticateMessage.pvBuffer)[context->MessageIntegrityCheckOffset],
 16);
- ntlm_compute_message_integrity_check(context);
+ ntlm_compute_message_integrity_check(context, &messageIntegrityCheck, sizeof(messageIntegrityCheck));
 CopyMemory(&((PBYTE) context->AuthenticateMessage.pvBuffer)[context->MessageIntegrityCheckOffset],
 message->MessageIntegrityCheck, 16);
 
- if (memcmp(context->MessageIntegrityCheck, message->MessageIntegrityCheck, 16) != 0)
+ if (memcmp(messageIntegrityCheck, message->MessageIntegrityCheck, 16) != 0)
 {
 WLog_ERR(TAG, "Message Integrity Check (MIC) verification failed!");
 WLog_ERR(TAG, "Expected MIC:");
- winpr_HexDump(TAG, WLOG_ERROR, context->MessageIntegrityCheck, 16);
+ winpr_HexDump(TAG, WLOG_ERROR, messageIntegrityCheck, 16);
 WLog_ERR(TAG, "Actual MIC:");
 winpr_HexDump(TAG, WLOG_ERROR, message->MessageIntegrityCheck, 16);
 return SEC_E_MESSAGE_ALTERED;
-- 
2.7.4
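Review bot: `BYTE messageIntegrityCheck[16]` added in the -961 hunk is never initialized, and the function that is supposed to fill it (called in the -988 hunk) is `void` and returns early when `winpr_HMAC_New()` fails, so on that path the `memcmp` in the -988 hunk compares the peer's MIC against stack garbage and the error log dumps that garbage as the "Expected MIC". Initializing it (`BYTE messageIntegrityCheck[16] = { 0 };`) removes the indeterminate read but does not make the failure safe, since a known expected value is still compared; the verification should fail closed, e.g. return an error before the `memcmp` when the compute function reports that it could not produce a digest. That requires the compute function to return a status, which this commit does not add. `ntlm_server_AuthenticateComplete` continues beyond both hunks.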
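Review bot: In the -988 hunk, `&messageIntegrityCheck` has type `BYTE (*)[16]`, not the `BYTE*` the new signature takes; it yields the same address, but the call compiles only with an incompatible-pointer-type diagnostic and is a hard error under `-Werror`. Pass the array itself so it decays to `BYTE*`: `ntlm_compute_message_integrity_check(context, messageIntegrityCheck, sizeof(messageIntegrityCheck));`. The other two changed lines in this hunk (`memcmp` and `winpr_HexDump`) already use the array correctly. The enclosing `if` block and the function continue past the end of the hunk.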